MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 190ab20809cf0e5dee4860df81f3151e95b23f9840f02ab3e9ad2f7cc02f46d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 190ab20809cf0e5dee4860df81f3151e95b23f9840f02ab3e9ad2f7cc02f46d5
SHA3-384 hash: f2a3552581a771f08494ccce84b210e5b1cdbe1b8eb3375db6e3ee063953666475d16ed7123f68ab5c51a41b2cf44f4a
SHA1 hash: 8686e708f26cb7dc7970efb5f979225e9dbc220a
MD5 hash: 232ebfa659e842c4c06e7f3a2d68db77
humanhash: eighteen-hydrogen-oven-johnny
File name:Commande 07.12.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:277'597 bytes
First seen:2023-07-13 07:42:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6TLfgTIv1kQzQmTYEsXj30jXQRz4YZ9/+OPWxs5dm9eH:/YBLfgTIdksPTiTITYj/+OPWeDmMH
Threatray 3'276 similar samples on MalwareBazaar
TLSH T11844121CEA64F193D59390334C774B2A2EF9E62558AC9A0F27302BACBD766D1C80F751
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Commande 07.12.exe
Verdict:
Malicious activity
Analysis date:
2023-07-13 07:56:39 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/37b21d45-2f0e-4df4-a5d0-9331562a7bc3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/417289/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.20737.15814.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97394/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64afab0d57d1eb6a904f64e7/reports/7bd72a92-6939-4c54-abcd-b97c9f38c89e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/190ab20809cf0e5dee4860df81f3151e95b23f9840f02ab3e9ad2f7cc02f46d5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8163311-40c2-4294-991a-9baa0019d0d5
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1272357
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1272357 Sample: Commande_07.12.exe Startdate: 13/07/2023 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 7 other signatures 2->44 10 Commande_07.12.exe 18 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\sfesniyrd.tm, DOS 10->28 dropped 30 C:\Users\user\AppData\Local\...\xhkbszzi.dll, PE32 10->30 dropped 54 Detected unpacking (changes PE section rights) 10->54 56 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->56 58 Maps a DLL or memory area into another process 10->58 60 Tries to detect virtualization through RDTSC time measurements 10->60 14 Commande_07.12.exe 10->14         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 17 explorer.exe 1 14->17 injected process8 dnsIp9 32 www.alfahifurniture.com 156.241.14.100, 49719, 80 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 17->32 34 dns.ladipage.com 13.215.123.39, 49718, 80 AMAZON-02US United States 17->34 36 2 other IPs or domains 17->36 46 System process connects to network (likely due to code injection or exploit) 17->46 21 wlanext.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/190ab20809cf0e5dee4860df81f3151e95b23f9840f02ab3e9ad2f7cc02f46d5/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-12 13:18:58 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=deflecajz4hf33simdpyd4yvd2k3ep4yidycvm7jvuxxzqbpi3kq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0678008b99744da75d64b17e189a5f8934780a0ddf2384d8c24e4240f796dc34
Formbook
6e5b648d1e574dfbbd6337c6d11b851b2b12efec1f0ae59b1327e0dce1dfe7e6
Formbook
88dab0ee02a70b83cb4c99ffa6e809c2789c9e1d55cdcd92454f73bf9d5effa4
Formbook
97bd79e26600f552bfb5764aec1606acb63b830b5fefb807d12fe2088854a3cc
Formbook
a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9
Formbook
b80d975ddd8e28bf201a5dd08cbfa50ef211aa5600f33b4c10e6d72068864f13
Formbook
cc1e18df25ea2f4e3a97b78ceb434ba61318eae9ee868d62bb1b3b8e9dbf2c7c
Formbook
cfd843a4218fd91e46bf20068627e94bcc20cf68ec6a84ad4811d39b8c6c7ccd
Formbook
ead9b9c37d63a3b18959e6f4926d76364408f76ed882fad8e8b34ec496702bda
Formbook
ec07b80aca87a969c2f7c5c5a6ff490cb510c27dc68781e96facfafe9cbfb03a
Formbook
+ 3'266 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:b0y4 rat spyware stealer trojan
Link:
https://tria.ge/reports/230713-jj97psgf9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
560a9b0e9d5d406af75baa86e522139291f063b7d2662b88a89978a34a7eacf9
MD5 hash:
2a7a16c0b7f755e0ba6fcc523b1b7d39
SHA1 hash:
3bbce8f98dfa8ecb00aad81a1e6708cd4cd5077d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/4726f5c5-4aa1-4a39-b357-2b3bc7c35552/
Parent samples :
190ab20809cf0e5dee4860df81f3151e95b23f9840f02ab3e9ad2f7cc02f46d5
7bf47a92fadd875caa70db94a8ef153f7e63296357619e23a27b2d4e0a6a2bde
aae4507b359991ebb7102b2531f939178db88102ac66b5307e5ea065d94639ea
e205d9c4dd9d23e24942ad2d1439821f4fef2b7743e60a9731af35198a95eb5b
5bad70f6450f10a687e5fd74019fbfa8efc9a70069c049b252dd0e2d0fd932ac
SH256 hash:
190ab20809cf0e5dee4860df81f3151e95b23f9840f02ab3e9ad2f7cc02f46d5
MD5 hash:
232ebfa659e842c4c06e7f3a2d68db77
SHA1 hash:
8686e708f26cb7dc7970efb5f979225e9dbc220a
Link:
https://www.unpac.me/results/4726f5c5-4aa1-4a39-b357-2b3bc7c35552/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 190ab20809cf0e5dee4860df81f3151e95b23f9840f02ab3e9ad2f7cc02f46d5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/417289/

Comments